{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-2828","assignerOrgId":"404fd4d2-a609-4245-b543-2c944a302a22","state":"PUBLISHED","assignerShortName":"isc","dateReserved":"2023-05-22T07:57:41.362Z","datePublished":"2023-06-21T16:26:07.096Z","dateUpdated":"2025-02-13T16:48:38.124Z"},"containers":{"cna":{"providerMetadata":{"orgId":"404fd4d2-a609-4245-b543-2c944a302a22","shortName":"isc","dateUpdated":"2023-07-19T11:06:10.654Z"},"title":"named's configured cache size limit can be significantly exceeded","datePublic":"2023-06-21T00:00:00.000Z","affected":[{"vendor":"ISC","product":"BIND 9","versions":[{"version":"9.11.0","lessThanOrEqual":"9.16.41","status":"affected","versionType":"custom"},{"version":"9.18.0","lessThanOrEqual":"9.18.15","status":"affected","versionType":"custom"},{"version":"9.19.0","lessThanOrEqual":"9.19.13","status":"affected","versionType":"custom"},{"version":"9.11.3-S1","lessThanOrEqual":"9.16.41-S1","status":"affected","versionType":"custom"},{"version":"9.18.11-S1","lessThanOrEqual":"9.18.15-S1","status":"affected","versionType":"custom"}],"defaultStatus":"unaffected"}],"metrics":[{"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH"}}],"descriptions":[{"lang":"en","value":"Every `named` instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the `max-cache-size` statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit.\n\nIt has been discovered that the effectiveness of the cache-cleaning algorithm used in `named` can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured `max-cache-size` limit to be significantly exceeded.\nThis issue affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1."}],"impacts":[{"descriptions":[{"lang":"en","value":"By exploiting this flaw, an attacker can cause the amount of memory used by a `named` resolver to go well beyond the configured `max-cache-size` limit. The effectiveness of the attack depends on a number of factors (e.g. query load, query patterns), but since the default value of the `max-cache-size` statement is `90%`, in the worst case the attacker can exhaust all available memory on the host running `named`, leading to a denial-of-service condition."}]}],"workarounds":[{"lang":"en","value":"No workarounds known."}],"exploits":[{"lang":"en","value":"We are not aware of any active exploits."}],"solutions":[{"lang":"en","value":"Upgrade to the patched release most closely related to your current version of BIND 9: 9.16.42, 9.18.16, 9.19.14, 9.16.42-S1, or 9.18.16-S1."}],"credits":[{"lang":"en","value":"ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to our attention."}],"references":[{"url":"https://kb.isc.org/docs/cve-2023-2828","name":"CVE-2023-2828","tags":["vendor-advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2023/06/21/6"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3K6AJK7RRSR53HRF5GGKPA6PDUDWOD2/"},{"url":"https://www.debian.org/security/2023/dsa-5439"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SEFCEVCTYEMKTWA7V7EYPI5YQQ4JWDLI/"},{"url":"https://security.netapp.com/advisory/ntap-20230703-0010/"},{"url":"https://lists.debian.org/debian-lts-announce/2023/07/msg00021.html"}],"source":{"discovery":"EXTERNAL"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T06:33:05.796Z"},"title":"CVE Program Container","references":[{"url":"https://kb.isc.org/docs/cve-2023-2828","name":"CVE-2023-2828","tags":["vendor-advisory","x_transferred"]},{"url":"http://www.openwall.com/lists/oss-security/2023/06/21/6","tags":["x_transferred"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3K6AJK7RRSR53HRF5GGKPA6PDUDWOD2/","tags":["x_transferred"]},{"url":"https://www.debian.org/security/2023/dsa-5439","tags":["x_transferred"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SEFCEVCTYEMKTWA7V7EYPI5YQQ4JWDLI/","tags":["x_transferred"]},{"url":"https://security.netapp.com/advisory/ntap-20230703-0010/","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2023/07/msg00021.html","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-12-06T18:36:28.183787Z","id":"CVE-2023-2828","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-12-06T18:36:35.647Z"}}]}}